Saturday, May 21, 2011

The whole concept of "security questions", usually used to recover an online account in case of lost credentials, is quite flawed by definition, but what Pearson VUE, the company managing tests and certification (mostly) in IT, is doing is beyond my comprehension.

Have a look at the screenshot below.

Pearson VUE is serious about account safety. That’s why we’re requiring all web users to create security questions. Select two questions below, one from each drop-down menu. Then type your answers in the provided fields and click Next. We’ve designed questions that would be hard to guess.

Doesn't sound THAT bad, does it? But check the preselected questions:

Who is your favorite actor, musician, or artist?
What was your favorite place to visit as a child?
What is your favorite song?
What is the title of your favorite book?
What was your most memorable gift as a child?
What was the name of your first toy animal?
Who is your favorite athlete?

What is the first and last name of the best man at your wedding?
What is the name of the first company for which you worked?
What is your dream occupation?
What is your oldest sibling's (brother or sister) nickname?
What is your favorite food?
In what city did you first meet your spouse or significant other?
What is your spouse or significant other's nickname?

Sounds like exactly the type of questions that have answers on one's Facebook or blog page, doesn't it?

And their Security tips do not make it any better: they limit the length of the answer and make it case-insensitive. And asking me not to tell my spouse's nickname to anyone???

* Answers may contain no more than 50 characters.
* Answers are NOT case sensitive (caps or no caps are allowed).
* Make sure the answer is not related to your username or password in any way.
* Do not tell anyone this information.
* Do not send this information by email.
* Change this information periodically in Change Sign In under My Account.

Combine this with the way they manage their site's SSL certificates ... :